
Access rules

  • Permissions define which users can access which applications. They can be created from the URL:
    https://admin-mydomain.trustelem.com/app#/perms

  • Permissions for applications using SAML 2.0, OpenID Connect or no SSO may depend on the user's public IP address.
    In this case, the internal IP ranges must be defined in the settings; any other IP is treated as external.
    Internal IPs are usually the public IPs of the company offices.
    https://admin-mydomain.trustelem.com/app#/security/main --> 'Internal network'

  • Permissions for LDAP and RADIUS applications do not have IP zones.
    Note: LDAP permissions allow the application to:

    • source users with permission
    • authenticate users with permission

SAML, OpenID Connect, No SSO possible values

  • no rule: does not apply any rule, so other permissions can remain active

  • default: apply the default rule
    https://admin-mydomain.trustelem.com/app#/security/main --> 'Default authentication level for users'

  • One Factor: only one authentication factor is needed to access the application

  • Two Factor: two authentication factors are needed to access the application

  • Forbidden: the user can’t access the application

Priorities

When a user / group is affected by more than one access rule for a single application, the following priorities apply:

  • A user access rule wins over a group access rule, whether it is more restrictive or not

  • The most restrictive access rule wins

In summary:

Access forbidden (user) > 2 factors (user) > 1 factor (user) > Access forbidden (group) > 2 factors (group) > 1 factor (group)

Example

John Doe is in groups “Customer Success” and “Support”

Permissions defined:

  • Subscription default: internal -> 1 factor | external -> 2 factors

  • Customer Success for salesforce: internal -> 1 factor | external -> 2 factors

  • Support for salesforce: internal -> 2 factors | external -> forbidden

  • John Doe for salesforce: internal -> no rule | external -> 2 factors

No permission is set to "default", so the subscription default does not apply.
For the internal zone, the groups give 1 factor and 2 factors, and the user rule is "no rule" --> the most restrictive group rule wins: 2 factors.
For the external zone, the groups give 2 factors and forbidden, and the user rule gives 2 factors --> the user rule wins over the group rules, even though it is less restrictive than "forbidden": 2 factors.

John needs 2 factors to access salesforce for both internal and external zone.
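The priority rules and the John Doe example above, as an added, runnable model; this is not Trustelem's own code. It assumes that a "default" value expands to the subscription default of the same zone and that "no rule" contributes nothing.

```python
# Added model of the access-rule priorities described on this page.
# Level strings follow the page: "no rule", "default", "1 factor",
# "2 factors", "forbidden". Scope is "user" or "group".

# Same order as the page's summary line, least to most restrictive:
# 1 factor (group) < 2 factors (group) < forbidden (group)
#   < 1 factor (user) < 2 factors (user) < forbidden (user)
PRIORITY = [
    ("1 factor", "group"), ("2 factors", "group"), ("forbidden", "group"),
    ("1 factor", "user"), ("2 factors", "user"), ("forbidden", "user"),
]

def resolve(rules, default_level):
    """Effective level for one zone (internal or external).

    rules: list of (level, scope) pairs that apply to the user in this
           zone, e.g. [("no rule", "user"), ("forbidden", "group")].
    default_level: what "default" expands to in this zone (assumed to be
           the subscription default for the zone).
    Returns "no rule" when nothing applies.
    """
    candidates = []
    for level, scope in rules:
        if level == "default":          # expand to the subscription default
            level = default_level
        if level == "no rule":          # contributes nothing
            continue
        candidates.append((level, scope))
    if not candidates:
        return "no rule"
    # Highest position in PRIORITY wins: any user rule outranks any group
    # rule, and within one scope the most restrictive level wins.
    return max(candidates, key=PRIORITY.index)[0]

def john_doe_salesforce():
    """The page's worked example: John Doe in Customer Success and Support."""
    subscription_default = {"internal": "1 factor", "external": "2 factors"}
    customer_success = {"internal": "1 factor", "external": "2 factors"}
    support = {"internal": "2 factors", "external": "forbidden"}
    john = {"internal": "no rule", "external": "2 factors"}
    result = {}
    for zone in ("internal", "external"):
        rules = [(john[zone], "user"),
                 (customer_success[zone], "group"),
                 (support[zone], "group")]
        result[zone] = resolve(rules, subscription_default[zone])
    return result

if __name__ == "__main__":
    print(john_doe_salesforce())  # {'internal': '2 factors', 'external': '2 factors'}
```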

LDAP possible values

  • no rule: does not apply any rule, so users can't be sourced and can't be authenticated

  • One Factor: users sourced, and only one authentication factor is needed to access the application

  • Two Factor: users sourced, and two authentication factors are needed to access the application. TOTP codes have to be entered right after the first factor, for instance: mypasswordTOTP

  • Forbidden: the user can’t access the application and can't be sourced

Radius possible values

  • no rule: does not apply any rule, so users can't be authenticated

  • 2nd Factor only: only the second factor is needed to access the application.

  • Two Factor: two authentication factors are needed to access the application.

  • Forbidden: the user can’t access the application and can't be sourced